An abstract framework of canonical inference is used to explore how different proof orderings
induce different variants of saturation and completeness. Notions like completion, paramodulation,
saturation, redundancy elimination, and rewrite-system reduction are connected to proof
orderings. Fairness of deductive mechanisms is defined in terms of proof orderings, distinguishing
between (ordinary) "fairness," which yields completeness, and "uniform fairness," which yields
saturation.

They are not capable to ground a canonicity of universal consistency.
—Alexandra Deligiorgi (ΠΑΙΔΕΙΑ, 1998)

1. INTRODUCTION



For effective automated reasoning, the ability to ignore irrelevant data is just as important
as the capability to derive consequences from given information. Thus, theorem
provers generally incorporate various mechanisms for controlling the growth
of the collection of inferred formulae or derived goals. It is a challenge, however,
to ensure that such rules for simplification or deletion of formulae do not impinge
upon the completeness of the resulting theorem proving strategy.

One class of inference engines that make heavy use of simplification includes the
Knuth-Bendix completion procedure for equational inference [Knuth and Bendix
1970] and Buchberger's Gröbner-basis algorithm for polynomial ideals [Buchberger
1985]. These forward-reasoning systems aim at generating sets of formulae that
are "complete" in the sense that completion can provide a rewriting-based decision
procedure for validity in the given equational theory, and that the Gröbner basis is
similarly used to decide membership in the ideal. Ballantyne (cited in [Dershowitz
et al. 1988]) and Métivier [1983] took note of the fact that the fully reduced result
of completion is unique for given axioms and term ordering.

Brown [1975], for the Horn case, and Lankford [1975], for the general case, showed 
how to combine equational completion with clausal resolution improving on the 
original paramodulation [Robinson and Wos 1969], a line of investigation that later 
produced methods based on ordered resolution and ordered paramodulation [Hsiang 
and Rusinowitch 1991; Bachmair and Ganzinger 1994; Nieuwenhuis and Rubio 
2001]. Huet [1981] showed how Knuth's completion procedure can also play the 
role of an incomplete prover for equational validity. Hsiang and Rusinowitch [1987] 
and Bachmair, Dershowitz and Plaisted [Bachmair et al. 1989] designed unfailing 
versions of completion without compromising the powerful role of simplification in 
controlling the completion process.

In the following sections, we suggest that
proof orderings, rather than formula orderings, take center stage in theorem proving 
with contraction (simplification and deletion of formulae). Given a specific proof 
ordering, completeness of a set of formulae — which we refer to as a presentation — 
will mean that all derivable theorems enjoy a minimal proof, while completeness 
of an inference system will mean that all formulae needed as premises in such ideal 
proofs can be inferred. This formalism is very flexible, since it allows small proofs 
to use large premises, and vice-versa. 

Well-founded orderings of proofs, as developed in [Bachmair and Dershowitz 
1994], distinguish between cheap "direct" proofs, those that are of a computational 
flavor (e.g. rewrite proofs), and expensive "indirect" proofs, those that are discov- 
ered after performing a search (e.g. equational proofs). These proof orderings are 
lifted from orderings on terms and formulae. Given a formula ordering, one can, 
of course, choose to compare proofs by simply comparing (the multiset of) their 
premises. 

Our proof-ordering based approach to deduction suggests generalizations of the 
current concepts of "saturation," "redundancy," and "fairness." Saturated, for us, 
will mean that all cheap proofs are supported, as opposed to completeness which 
makes do with one minimal proof per theorem. Accordingly, we define two notions 
of fairness: a fair derivation generates a complete set in the limit, while a uniformly 
fair derivation generates a saturated limit. By considering different orderings on 
proofs, one gets different kinds of saturated sets. The notion of saturation in the- 
orem proving, in which superfluous deductions are not necessary for completeness, 
was suggested in [Rusinowitch 1991]. In our terminology: A presentation was said 
to be saturated when all inferrible formulae are syntactically subsumed by formulae
in the presentation.¹

We also define redundancy in terms of the proof ordering, as propounded in 
[Bonacina and Hsiang 1995]: A sentence is redundant if adding it to the presentation
does not decrease any minimal proof. (See Bonacina 1992, Chap. 2.) The definition 
of redundancy in [Bachmair and Ganzinger 1994] — an inference is redundant if its 
conclusion can be inferred from smaller formulae — coincides with ours when proofs 
are measured first by their maximal premises. In [Bachmair and Ganzinger 1994; 
2001; Nieuwenhuis and Rubio 2001], saturated means that every possible inference 
is redundant. 

The present work continues the development of an abstract theory of "canonical 
inference," begun in [Dershowitz and Kirchner 2006], which, in turn, grew out of 
the theory of rewriting (see, for example, Dershowitz and Plaisted 2001; Terese 
2003) and deduction (see, for example, Bonacina 1999; Bachmair and Ganzinger 
2001; Nieuwenhuis and Rubio 2001). Although we will use ground equations as an 
illustrative example, this framework applies equally well in the first-order setting, 
whether equational or clausal. Our motivations and contributions are primarily 
aesthetic and intellectual: 

— organizing the theory of "canonical inference" in an architecture with primi- 
tive objects (such as presentations and proofs), their properties (canonical presen- 
tations, normal-form proofs), mappings between objects (inferences, derivations), 
their properties (good inferences, fair derivations), and theorems that state the 
weakest possible sufficient conditions for the desirable properties; 

— keeping the treatment throughout as abstract as possible, so as to maximize 
generality, without losing sight of concrete instances; 

— providing a terminology that is simultaneously general and precise; and 

— assembling a notation that is at the same time elegant, compact, and helpful. 

Since good theory produces the simplicity of concepts and clarity of priorities that 
are key to the building of strong systems, our hope is that this work might also 
nurture practical applications. 

The next section sets the stage, with basic notions and notations, and introduces
a running example. To keep this paper self-contained, Section 3 recapitulates relevant
definitions and results from [Dershowitz and Kirchner 2006].² Specifically, the
canonical basis of an abstract deductive system is defined in three equivalent ways:
(1) formulae appearing in minimal proofs; (2) minimal trivial theorems; (3) non-redundant
lemmata. Section 4 articulates the abstract framework, by introducing
inferences and proof procedures, providing proofs with structure, and characterizing
good inference sequences. Sections 5-7 carry out the study of derivation and
completion processes. Finally, we close with a discussion, including related work
and connections with the praxis of theorem proving.

¹ In [Rusinowitch 1991], the language is clausal, and a clause $C$ subsumes a clause $D$ if there is a
substitution $\sigma$ such that $C\sigma \subseteq D$ and $C$ does not have more literals than does $D$. We refer to this
as "syntactic subsumption" to distinguish it from the general semantic principle, under which $C$
subsumes $D$ if $\models \forall \bar{x}\, C \Rightarrow \forall \bar{y}\, D$, where $\bar{x}$ and $\bar{y}$ are the variables of $C$ and $D$, respectively.

² The study in [Dershowitz and Kirchner 2006] is concerned with defining abstract properties
of sets of formulae. It is extended here with notions, such as fairness, that describe properties
of derivations. That paper is about properties of objects (presentations); we study properties
required of processes (derivations) so as to generate the desired presentations.

2. ORDERED PROOF SYSTEMS 

Let $\mathbb{A}$ be the set of all formulae (ground equations and disequations, in our examples)
over some fixed vocabulary. Let $\mathbb{P}$ be the set of all (ground equational) proofs. These
sets of abstract objects are linked by two functions: $[\cdot]^{Pm} : \mathbb{P} \to 2^{\mathbb{A}}$ gives the premises
(assumptions) in a proof, and $[\cdot]_{Cl} : \mathbb{P} \to \mathbb{A}$ gives its conclusion. For example, if $p \in \mathbb{P}$
is a proof of $a = b, a = c \vdash f(b, c) = f(c, b)$, then $[p]^{Pm}$ is $\{a = b, a = c\}$ and $[p]_{Cl}$
is $f(b, c) = f(c, b)$. Both functions extend to sets of proofs in the usual fashion.

The framework proposed here is predicated on two well-founded partial orderings
over $\mathbb{P}$: a proof ordering $>$ and a subproof relation $\rhd$. They are related by a
monotonicity requirement given below (Eq. 7). If the best proof of a theorem $c$
requires some lemma $b$, this monotonicity condition precludes the possibility that
the best proof of $b$ turn around and use $c$, since then ultimately both $b$ and $c$ would
be needed to support all ideal proofs, and there would be no "localized" way of
knowing when a formula is never needed and truly redundant. On the other hand,
this monotonicity condition does allow $b$ to be better in some proof contexts and $c$
in others.

For convenience, we assume that the proof ordering only compares proofs with
the same conclusion ($p > q \Rightarrow [p]_{Cl} = [q]_{Cl}$), rather than mention this condition
each time we have cause to compare proofs.

We use the standard notation $A \vdash c$, for premises $A \subseteq \mathbb{A}$ and conclusion $c \in \mathbb{A}$,
to mean that there exists a proof $p \in \mathbb{P}$ such that $[p]^{Pm} = A$ and $[p]_{Cl} = c$. We will
use the term presentation to mean a set of formulae, and justification to mean a set
of proofs. Given a presentation $A$, the set of all proofs using all or some premises
of $A$ is denoted by:³

$$Pf(A) = \{p \in \mathbb{P} : [p]^{Pm} \subseteq A\}$$

We reserve the term theory for deductively-closed presentations. Let $Th\,A$ denote
the theory of presentation $A$, that is, the set of conclusions of all proofs with
premises in $A$:

$$Th\,A = \{[p]_{Cl} : p \in \mathbb{P},\ [p]^{Pm} \subseteq A\} = [Pf(A)]_{Cl}$$

Presentations $A$ and $B$ are equivalent ($A \equiv B$) if their theories are identical ($Th\,A = Th\,B$).
We presume the following standard properties of Tarskian consequence relations:

$$A \vdash c \Rightarrow A \cup B \vdash c \tag{1}$$

$$A \subseteq Th\,A \tag{2}$$

$$Th\,Th\,A = Th\,A \tag{3}$$

for all $A$, $B$ and $c$. It follows from the definition of $Th$ that

$$Th\,A \subseteq Th(A \cup B) \tag{4}$$

Thus, $Th$ is a closure operation. On account of the (left) weakening property (1),
we need not distinguish between $A \vdash c$ meaning that there is a proof of $c$ using all
the premises $A$, or using just some.

³ We use = and = for definitions.

As a very simple running example, let the vocabulary consist of the constant 0
and unary symbol $s$. Abbreviate tally terms $s^i 0$ as numeral $i$. The set $\mathbb{A}$ consists of
all unordered equations $i = j$; so symmetry is built into the structure of proofs. (We
postpone dealing with disequations for the time being.) An equational inference
system (with this vocabulary) might consist of the following five inference rules:

$$Z\colon \frac{\Box}{0 = 0} \qquad I\colon \frac{\boxed{i = j}}{i = j} \qquad S\colon \frac{i = j}{si = sj} \qquad P\colon \frac{a \quad c}{c} \qquad T\colon \frac{i = j \quad j = k}{i = k}$$

where boxes surround premises, $Z$ is an axiom, $I$ introduces premises, and $S$ infers
$i + 1 = j + 1$ from a proof of $i = j$. Proof-tree branches of the transitivity rule $T$ are
unordered. Projections $P$ allow irrelevant premises to be ignored and are needed to
accommodate monotonicity (Eq. 1).

For example, if $A = \{4 = 2, 4 = 0\}$, then

$$Th\,A = \{i = j : i \equiv j \pmod 2\}$$

Consider the proof schemata:

[Figure: three proof trees, with conclusions $i = i$, $4 + i = 2 + i$ and $i = j$, from left to right.]

where $p_0$ is a proof of $i - j - 2 = 0$. Let's use proof terms for proofs, denoting
the above three trees (from left to right) by $p = S^i Z$, $q = S^i I(4, 2)$ and $r =
S^j T(T(I(4,0), I(4,2)), SS(p_0))$. Thus, $[p]^{Pm} = \emptyset$, $[q]^{Pm} = \{4 = 2\}$, and $[r]_{Cl}$ is the
formula $i = j$.

With a (multiset) recursive path ordering [Dershowitz 1982] to order proofs, and
a precedence $Z < S < T < I < P < 0 < 1 < 2 < \cdots$ on proof combinators and
vocabulary symbols, the minimal proof of a theorem in $Th\,A$ takes one of the forms

S^ (V4fe=o) S^ (V4fe=2) 

where the subproofs V4A;=o a-nd \7ik=2 are defined recursively: 

Vo=2 = T(V4=0,V4=2) 
^4{k+l)=Q 

^4:{k+l) 

We call a proof trivial when it proves its only premise and has no subproofs other
than itself, that is, if $[p]^{Pm} = \{[p]_{Cl}\}$ and $p \unrhd q \Rightarrow p = q$. We denote by $a \vdash a$ or $\hat{a}$
such a trivial proof of $a \in \mathbb{A}$, and by $\hat{A}$ the set of trivial proofs of each $a \in A$. For
example, $\widehat{4 = 0} = I(4, 0)$.

We assume that premises appear in proofs (5), that subproofs do not use non-extant
premises (6), and that proof orderings are monotonic with respect to (replacement
of) subproofs (7). Specifically, for all proofs $p, q, r$ and formulae $a$:

$$a \in [p]^{Pm} \Rightarrow p \unrhd \hat{a} \tag{5}$$

$$p \unrhd q \Rightarrow [p]^{Pm} \supseteq [q]^{Pm} \tag{6}$$

$$p \rhd q > r \Rightarrow \exists v \in Pf([\{p, r\}]^{Pm}).\ p > v \rhd r \tag{7}$$

We make no other assumptions regarding proofs or their structure. 

The intuition for assumption (5), "proofs use their premises," is related to the
distinction between proof and derivation. Informally, a derivation contains all formulae
generated by a deduction mechanism from a given input, while a proof of
a formula generated during the derivation contains all, and only, the formulae involved
in inferring that formula within that proof. (Derivations will be treated
formally in Section 5.) The Replacement Postulate (7) states that $\rhd$ and $>$ (which
we have restricted to proofs with the same conclusion) commute. In other words,
"replacing" a subproof $q$ of a proof $p$ with a strictly smaller proof $r$ "results" in a
proof $v$ that is smaller than the original $p$, and which does not involve extraneous
premises. This postulate implies the following weaker commutation property:

$$p \unrhd q \geq r \Rightarrow \exists v \in Pf([\{p, r\}]^{Pm}).\ p \geq v \unrhd r \tag{8}$$

Most proof orderings in the literature obey this monotonicity requirement. 

Every formula $a$ admits a trivial proof $a \vdash a$ by (2,5). On account of (5,7), proofs
are also monotonic with respect to any inessential premises they refer to, should
the latter admit smaller than trivial proofs.

It may be convenient to think of a proof-tree "leaf" as a subproof with only
itself as a subproof; other subproofs are the "subtrees." There are two kinds of
leaves: trivial proofs $a \vdash a$ (such as inferences $I$), and vacuous proofs (axioms) $a$
with $[a]^{Pm} = \emptyset$ and $[a]_{Cl} = a$ (such as $Z$). By well-foundedness of $\rhd$, there are no
infinite "paths" in proof trees. It follows from Replacement (7) that the transitive
closure of $> \cup \rhd$ is also well-founded.

3. CANONICAL PRESENTATIONS 

The results in this section are extracted from [Dershowitz and Kirchner 2006], which
should be consulted for proofs not given here.
Define the minimal proofs in a set of proofs as:

$$\mu P = \{p \in P : \neg\exists q \in P.\ q < p\}$$

On account of well-foundedness, minimal proofs always exist. 

Note that $Pm$, $Cl$, $Th$ and $Pf$ are all monotonic with respect to set inclusion,
but $\mu Pf$ is not. Indeed, $A \subseteq B$ does not imply $\mu Pf(A) \subseteq \mu Pf(B)$, and $P \subseteq Q$ does
not imply $\mu P \subseteq \mu Q$, because a proof $p$ that is minimal in $P$ need not be minimal
in $Q$, since $Q$ may contain a $q < p$ such that $q \notin P$. Also, $\mu P \subseteq \mu Q$ does not imply
$P \subseteq Q$, since $P$ may contain all sorts of non-minimal proofs not in $Q$.

We say that presentation $A$ is contracted when $A = [\mu Pf(A)]^{Pm}$, that is, $A$
contains precisely the premises used in minimal proofs based on $A$. By a "normal-form
proof," we mean a minimal proof using any theorem as a lemma (that is, as
a premise):

Definition 3.1 (Normal-Form Proof). The normal-form proofs of a presentation
$A$ are the set

$$Nf(A) = \mu Pf(Th\,A)$$

This leads to our main definition:

Definition 3.2 (Canonical Presentation). The canonical presentation $A^\sharp$ of $A$
contains those formulae that appear as premises of normal-form proofs:

$$A^\sharp = [Nf(A)]^{Pm}$$

So, we will say that $A$ is canonical if $A = A^\sharp$.

It follows from the definitions that

$$Nf(A) = \mu Pf(A^\sharp) \subseteq Pf(A^\sharp) \tag{9}$$

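The next proposition gives a second characterization of the canonical
presentation — as normal-form trivial theorems:

Proposition 3.3.

$$A^\sharp = [Nf(A) \cap \widehat{Th\,A}]_{Cl}$$

$$\widehat{A^\sharp} = Nf(A) \cap \widehat{Th\,A}$$

Theorem 3.4. The function $^\sharp$ is "canonical" with respect to the equivalence of
presentations. That is:

$$A^\sharp \equiv A \quad \text{(Consistency)}$$

$$A \equiv B \Leftrightarrow A^\sharp = B^\sharp \quad \text{(Monotonicity)}$$

$$A^{\sharp\sharp} = A^\sharp \quad \text{(Idempotence)}$$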

By lifting proof orderings to justifications and presentations, the canonical presentation
can be characterized directly in terms of the ordering. First, proof orderings
are lifted to sets of proofs, as follows:

Definition 3.5.

— Justification $Q$ is better than justification $P$ if:

$$P \sqsupseteq Q \;\equiv\; \forall p \in P.\ \exists q \in Q.\ p \geq q$$

— It is much better if:

$$P \sqsupset Q \;\equiv\; \forall p \in P.\ \exists q \in Q.\ p > q$$

— Two justifications are similar if:

$$P \simeq Q \;\equiv\; P \sqsupseteq Q \sqsupseteq P$$

Recall that only proofs with the same conclusion are compared by proof orderings.

Transitivity of these three relations follows from the definitions. They are compatible:
$(\sqsupseteq \circ \sqsupset) \subseteq \sqsupset$, $(\sqsupseteq \circ \simeq) \subseteq \sqsupseteq$, etc. Since it is also reflexive, $\sqsupseteq$ is a
quasi-ordering. Note that $\sqsupset$ is not merely the strict version of $\sqsupseteq$, since every proof
in $P$ must have a strictly smaller one in $Q$.⁴

The next proposition states that subproofs of minimal proofs are minimal, bigger
presentations may offer better proofs, and minimal proofs are the best.

Proposition 3.6.

(a) For all proofs $p$ and $q$ and presentations $A$:

$$p \in \mu Pf(A) \text{ and } p \unrhd q \;\Rightarrow\; q \in \mu Pf(A)$$

(b) For all presentations $A$ and $B$:

$$Pf(A) \sqsupseteq Pf(A \cup B)$$

(c) For all justifications $P$:

$$P \sqsupseteq \mu P$$

This "better than" quasi-ordering $\sqsupseteq$ on proofs is lifted to a "simpler than"
quasi-ordering $\succsim$ on (equivalent) sets of formulae, as follows:

Definition 3.7.

— Presentation $B$ is simpler than an equivalent presentation $A$ when $B$ provides
better proofs than does $A$:

$$A \succsim B \;\equiv\; A \equiv B \,\wedge\, Pf(A) \sqsupseteq Pf(B)$$

— Presentations are similar if their proofs are:

$$A \approx B \;\equiv\; Pf(A) \simeq Pf(B)$$

Similarity $\approx$ is the equivalence relation associated with $\succsim$.

These relations are also compatible.

Canonicity may be characterized in terms of this quasi-ordering:

Theorem 3.8. The canonical presentation is the simplest:

$$A \succsim A^\sharp$$

Recalling that all subproofs of normal-form proofs are also in normal form (Proposition
3.6), we propose the following definitions:

Definition 3.9 (Saturation and Completeness).

— A presentation $A$ is saturated if it supports all possible normal-form proofs:

$$\mu Pf(A) = Nf(A)$$

— A presentation $A$ is complete if every theorem has a normal-form proof:

$$Th\,A = [Pf(A) \cap Nf(A)]_{Cl}$$

⁴ The strict version of $\sqsupseteq$ would say $P \sqsupseteq Q \not\sqsupseteq P$, that is, $\forall p \in P.\ \exists q \in Q.\ p \geq q$ and
$\exists q \in Q.\ \forall p \in P.\ q < p$. On the other hand, $P \sqsupset Q$ says $\forall p \in P.\ \exists q \in Q.\ p > q$. This is why we use the term
"much better" and not "strictly better."

It can be shown that: 

Lemma 3.10. A presentation $A$ is saturated if and only if

$$Nf(A) \subseteq Pf(A)$$

A presentation is complete if it is saturated, but for the converse, we need an
additional hypothesis: minimal proofs are unique if, for all theorems $c \in [Pf(A)]_{Cl}$,
there is exactly one proof in $Nf(A)$ with conclusion $c$. In particular, this holds for
proof orderings that are total (on proofs of the same theorem). Bear in mind that
abstract proofs may be designed to represent whole equivalence classes of concrete
proofs.

Proposition 3.11. 

(a) A presentation is complete if it is saturated. 

(b) If minimal proofs are unique, then a presentation is saturated if and only if 
it is complete. 

If a theorem has two distinct normal-form proofs $p$ and $q$, a presentation $A$ such
that $p \in Pf(A)$, but $q \notin Pf(A)$, may be complete but not saturated. For example,
suppose all rewrite (valley) proofs are minimal but incomparable. In that situation, 
every Church-Rosser system is complete, since every identity has a rewrite proof, 
but only the full deductive closure is saturated, because for every identity it offers 
all rewrite proofs. 

The next theorem relates canonicity and saturation. 

Theorem 3.12.

(a) A presentation $A$ is saturated if and only if it contains its own canonical
presentation:

$$A \supseteq A^\sharp$$

In particular, $A^\sharp$ is saturated.

(b) Moreover, the canonical presentation $A^\sharp$ is the smallest saturated set:

— No equivalent proper subset of $A^\sharp$ is saturated.

— If $A$ is saturated, then every equivalent superset also is.

Regarding completeness, we have the following:

Theorem 3.13. If $A$ is complete and setwise minimal (i.e. no $B \subsetneq A$, such that
$B \equiv A$, is complete), then $A \subseteq A^\sharp$.

Proof. By way of contradiction, let $c \in A \setminus A^\sharp$. Since $A^\sharp$ is the set of all premises
of normal-form proofs, $c$ is not a premise of any such proof. So, let $B = A \setminus \{c\}$:
$B$ has the same normal-form proofs as does $A$, that is, one per theorem. It follows
that $B$ is complete, contrary to the hypothesis that $A$ is setwise minimal. □

Proposition 3.14.

(a) Presentation $A$ is saturated if and only if $Th\,A \approx A$.

(b) Similar presentations are either both saturated or neither is.

(c) Similar presentations are either both complete or neither is.

The following definition sets the stage for the third characterization of canonical
presentation — as non-redundant lemmata. Formulae that can be removed from a
presentation — without making proofs worse — are deemed "redundant":

Definition 3.15 (Redundancy).

— A formula $r$ is redundant with respect to a presentation $A$ when:

$$A \succsim A \setminus \{r\}$$

— The set of all redundant formulae of a given presentation $A$ will be denoted as
follows:

$$Red\,A = \{r \in A : A \succsim A \setminus \{r\}\}$$

— A presentation $A$ is irredundant if

$$Red\,A = \emptyset$$

By definition, $Red\,A \subseteq A$.

Thanks to the well-foundedness of $>$, the set of all redundant formulae in $Red\,A$
is globally redundant:

Proposition 3.16. For all presentations $A$:

$$A \approx A \setminus Red\,A$$

Thus, it can be shown that $A$ is contracted (i.e. $A = [\mu Pf(A)]^{Pm}$) if and only if it
is irredundant ($Red\,A = \emptyset$).

Furthermore, every redundant $r \in Red\,A$ has a minimal proof $p \in \mu Pf(A)$, in
which it does not appear as a premise ($r \notin [p]^{Pm}$).

The third characterization of the canonical set is central for our purposes: 

Theorem 3.17. A presentation is canonical if and only if it is saturated and 
contracted. 

Informally, A is contracted if it is the set of premises of its minimal proofs; it is 
saturated if minimal proofs in A are exactly the normal-form proofs in the theory; 
it is canonical if it is the set of premises of normal-form proofs. Hence, saturated 
plus contracted is equivalent to canonical. 

4. VARIATIONS ON CANONICITY 

The idea we are promoting is that, given a set of axioms, $A$, one is interested in the
(unique) set of lemmata, $A^\sharp \subseteq Th\,A$, which — when used as premises in proofs —
supports all the normal-form proofs of the theorems $Th\,A$. These lemmata form
the "canonical basis" of the theory. In this section, we observe how the canonical
basis varies as the proof ordering varies.

Returning to our simple example, we take the five rules of Section 2 (reproduced
here for convenience),

$$Z\colon \frac{\Box}{0 = 0} \qquad I\colon \frac{\boxed{i = j}}{i = j} \qquad S\colon \frac{i = j}{si = sj} \qquad P\colon \frac{a \quad c}{c} \qquad T\colon \frac{i = j \quad j = k}{i = k}$$

extend $I$ and $T$ to disequalities, and add a third rule for disequalities as follows:

$$I\colon \frac{\boxed{i \neq j}}{i \neq j} \qquad T\colon \frac{i = j \quad j \neq k}{i \neq k} \qquad F\colon \frac{i \neq i}{j = k}$$

With these rules, one can infer, for instance, $0 \neq 0$ from $1 \neq 1$ and $1 \neq 0$, by
applying $I_{1 \neq 1}$, $F_{0 = 1}$, $I_{1 \neq 0}$ and $T$:

[Figure: proof tree deriving $0 \neq 0$ from the leaves $I_{1 \neq 1}$ and $I_{1 \neq 0}$ via $F_{0 = 1}$ and $T$.]

Suppose we are using a proof ordering based on a precedence on the inference 
rules, or proof combinators, Z, I, S, P, T, F. For simplicity, we use > for both proof 
ordering and precedence. The intended meaning will be clear from the context. 

If $F$ is smaller than all other proof combinators in the precedence, and $I$ nodes
are incomparable in the proof ordering, then the canonical basis of any inconsistent
set is $\{i \neq j : i, j \in \mathbb{N}\}$. All positive equations are redundant, because $F_{j=k}$ is a
smaller proof than $I_{j=k}$.

If $P > I$ in the precedence, then

$$\frac{a \quad c}{c} \;>\; \frac{\boxed{c}}{c}$$

or $P(a, c) > I(c)$. By the Replacement Postulate (7), every application of $P$ can be
replaced by an application of $I$ to yield a smaller proof. Hence, no minimal proof
includes $P$ steps.

If proofs are compared in a simplification ordering (that is, in an ordering for
which subproofs are always smaller than their superproofs), then minimal proofs
will never have superfluous transitivity inferences of the form

$$\frac{u = t \quad t = t}{u = t}$$

because the trivial proof of $u = t$ (made of $u = t$ itself) is smaller.

More specifically, suppose we are using something like the recursive path ordering
for proof terms and consider the above inference rules for ground equality and
disequality, with the rule for successor extended to apply to all function symbols of
any arity. That is, rule $S$, which infers $si = sj$ from $i = j$, is generalized here to an
inference rule for functional reflexivity, that infers $f(\bar{x}) = f(\bar{y})$ from $\bar{x} = \bar{y}$, for any
function symbol $f$, of any arity $n$, and $n$-tuples $\bar{x}$ and $\bar{y}$ of variables.

Deductive closure. If the proof ordering prefers introduction $I$ of premises over
all other inferences (including $Z$), then trivial proofs are best. In that case, the
whole theory is irredundant ($Red\,Th\,A = \emptyset$), and the canonical basis includes the
whole theory ($A^\sharp = Th\,A$). In other words, everything is needed, because each
sentence constitutes the smallest proof of itself.

Congruence closure. If the precedence makes functional reflexivity $S$ smaller than
$I$ (more precisely: $S < T < I$), but the only ordering on leaves is $I(u, t) <
I(c[u], c[t])$ for any context $c$, then inferring $c[u] = c[t]$ from $u = t$ by repeated
applications of $S$ yields a cheaper proof than $I(c[u], c[t])$. Ground paramodulation
can deduce $c[u] = c[t]$ from $u = t$ and $c[u] = c[u]$ in one step. The canonical basis
will be the congruence closure, as generated by paramodulation. Redundancies will
have the form $f(u_1, \ldots, u_n) = f(t_1, \ldots, t_n)$ for all $u_1 = t_1, \ldots, u_n = t_n \in Th\,A$ and
function symbol $f$ (of any arity $n$) in the vocabulary. The theory $Th\,A$ is the closure
under functional reflexivity of the basis $A^\sharp$. If $A$ is as in our first example (i.e.
$A = \{4 = 2, 4 = 0\}$), then $A^\sharp = \{2j = 0 : j > 0\}$. The other equalities in $Th\,A =
\{i = j : i \equiv j \pmod 2\}$ are obtained from those in $A^\sharp$ by applying $S$ (e.g. $8 = 4$ is
derived from $4 = 0$ by applying $S^4$ to both sides).

Completion. On the other hand, if the ordering on leaves compares terms in
some simplification ordering $\succ$ (still assuming $S < T < I$), then the canonical
basis will be the fully contracted set, as generated by (ground) completion. The
redundancies will be the trivialities $u = u$, for all terms $u$, and equalities $u = t$,
when there is a $t = v \in Th\,A$ ($v$ different than $u$), such that $t \succ v$. Operationally,
$u = t$ can be contracted to $u = v$. For our first example, with $A = \{4 = 2, 4 = 0\}$,
we have $A^\sharp = \{2 = 0\}$, as all equations in $\{2j = 0 : j > 0\}$ reduce to $2 = 0$.
For another example, if $A = \{a = c, sa = b\}$ and $sa \succ sb \succ sc \succ a \succ b \succ c$,
then $I(sa, b) > T(S(I(a, c)), I(sc, b))$, and $I(sc, b) < T(S(I(a, c)), I(sa, b))$, hence
$A^\sharp = \{a = c, sc = b\}$.
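
The two completion examples above, worked as an added Python illustration (not code from the paper): it contracts a ground presentation by inter-reduction alone, which is enough in the ground case, and returns the fully contracted basis. The encoding of a term $s^n(c)$ as the pair `(n, c)`, the precedence table `PREC` and the function names `complete`, `normalize` and `equal` are assumptions of this example.

```python
"""Ground completion by simplification for terms s^n(c), encoded as (n, c)."""

# Assumed constant precedence a > b > c > 0; together with the count of s
# symbols it realizes the ordering sa > sb > sc > a > b > c used in the text.
PREC = {"0": 0, "c": 1, "b": 2, "a": 3}


def key(term):
    """Sort key of a total simplification ordering on ground terms."""
    n, const = term
    return (n, PREC[const])


def num(i):
    """Numeral i, that is, s^i(0)."""
    return (i, "0")


def orient(equation):
    """Orient an unordered equation as a rule (big, small); None if trivial."""
    u, t = equation
    if u == t:
        return None
    return (u, t) if key(u) > key(t) else (t, u)


def rewrite_once(term, rules):
    """Apply the first applicable rule s^k(c) -> s^m(d) inside s^n(c)."""
    n, const = term
    for (k, lhs_const), (m, rhs_const) in rules:
        if lhs_const == const and n >= k:
            return (n - k + m, rhs_const)
    return None


def normalize(term, rules):
    """Rewrite to normal form; terminates because every step decreases key()."""
    while (nxt := rewrite_once(term, rules)) is not None:
        term = nxt
    return term


def complete(equations):
    """Inter-reduce until every rule is irreducible by all the others."""
    rules = {r for r in map(orient, equations) if r is not None}
    changed = True
    while changed:
        changed = False
        for rule in sorted(rules, key=lambda r: (key(r[0]), key(r[1]))):
            others = rules - {rule}
            reduced = (normalize(rule[0], others), normalize(rule[1], others))
            if reduced != rule:
                rules = others           # contract: drop the reducible rule ...
                new_rule = orient(reduced)
                if new_rule is not None:
                    rules.add(new_rule)  # ... and keep its simplified form
                changed = True
                break
    return rules


def equal(u, t, rules):
    """Decide u = t in the theory by comparing normal forms."""
    return normalize(u, rules) == normalize(t, rules)


if __name__ == "__main__":
    basis = complete([(num(4), num(2)), (num(4), num(0))])
    print(basis)                          # the single rule 2 -> 0
    print(equal(num(7), num(3), basis))   # 7 and 3 have the same parity
    print(complete([((0, "a"), (0, "c")), ((1, "a"), (0, "b"))]))
```

With the basis for $\{4 = 2, 4 = 0\}$, `equal` decides membership in $Th\,A$ by comparing normal forms, which here amounts to comparing parities.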

Refutation. If $T < I$, the combinator $F$ is the smallest in the precedence and
$I(i, j)$ nodes are measured by the values of $i$ and $j$, then the canonical basis of
any inconsistent presentation is a (smallest) trivial disequation $\{t \neq t\}$. Indeed,
all positive equations can be obtained by applying $F$ to $t \neq t$, and all negated
equations can be obtained by two applications of $T$:

$$\frac{\dfrac{n = t \quad t \neq t}{n \neq t} \quad t = m}{n \neq m}$$

for all numerals $m$, $n$ and $t$. Thus, the process of searching for a refutation of a
given input set is the process of seeking its canonical basis, or forcing a minimal
nucleus of inconsistency to emerge.

Superposition. In the ground case, completion can be done by simplification only.
However, with a suitable ordering, one can observe also superposition. If one distinguishes
$T$ steps based on the weight of the shared term $j$, making $T > I$ when
$j$ is the greatest, and $T < I$ otherwise, then the canonical basis is also closed
under superposition, or paramodulation into the larger side of equations. For example,
consider $k = j$ and $j = i$. If the shared term $j$ is the greatest, we have
$T(I(k, j), I(j, i)) > I(k, i)$, meaning that adding $k = i$ by superposition provides
a smaller proof. The transitivity proof $T(I(k, j), I(j, i))$ corresponds to the peak
$k \leftarrow j \rightarrow i$. Otherwise, we have $T(I(k, j), I(j, i)) < I(k, i)$. In particular, if the
shared term $j$ is the smallest, the transitivity proof $T(I(k, j), I(j, i))$ corresponds
to a valley $k \rightarrow j \leftarrow i$, and $T(I(k, j), I(j, i)) < I(k, i)$ means that valley proofs are
the smallest.

5. INFERENCE AND DERIVATIONS 

There are two basic applications for ordering-based inference: constructing a finite
canonical presentation when such exists, and searching for proofs by forward
reasoning from axioms, avoiding inferences that do not help the search.

Inference steps are defined by deduction mechanisms. In general, a (one-step)
deduction mechanism $\leadsto$ is a binary relation over presentations, and we call a pair
$A \leadsto B$ a deduction step. A deduction mechanism is functional if for any $A$ there
is a unique $B$ (possibly $A$ itself) such that $A \leadsto B$. Practical mechanisms are
functional (and usually operate deterministically); they are obtained by coupling
a (nondeterministic) inference system with a search plan (or strategy), to yield a
completion procedure or proof procedure. Specific procedures may impose additional
structure, such as singling out one formula as the target theorem or "goal," in which
case the deduction mechanism applies to labelled formulae; see [Bonacina 1999] for
a survey.

Here, we consider only functional mechanisms that apply to presentations, and 
take the notion of a deduction mechanism as a whole. Focusing attention on de- 
duction mechanisms that apply to presentations entails no loss of generality, since 
the abstract set P may be limited on the concrete level to proofs and subproofs of 
a specific goal. 

5.1 Goodness 

A sequence of deductions $A_0 \leadsto A_1 \leadsto \cdots$ is called a derivation.⁵ We write $\{A_i\}_i$ for
sequences of presentations, and — in particular — for derivations. Let $A_* = \bigcup_i A_i$ be
all formulae appearing anywhere in $\{A_i\}_i$. The result $A_\infty$ of the sequence is — ever
since Huet [1981] — its persisting formulae:

$$A_\infty = \liminf_{j \to \infty} A_j = \bigcup_j \bigcap_{i > j} A_i$$

We say that a proof $p$ persists when its premises do, that is, when $[p]^{Pm} \subseteq A_\infty$.
Thus, if $p$ persists, so do its subproofs, by Postulate (6). By Proposition 3.6(b), we
have $Pf(A_i) \sqsupseteq Pf(A_*)$ for all $i$.

Definition 5.1 (Soundness and Adequacy).

— A deduction step $A \leadsto B$ is sound if $B \subseteq Th\,A$.

— It is adequate if $A \subseteq Th\,B$.

— It is both if $A \equiv B$.

— A derivation $\{A_i\}_i$ is sound if $A_\infty \subseteq Th\,A_i$, for all $i$.

— It is adequate if $A_i \subseteq Th\,A_\infty$.

— It is both if $A_i \equiv A_\infty$.

⁵ We do not consider transfinite derivations in this paper.

Adequacy is essentially a monotonicity property, since it implies that $Th\,A \subseteq Th\,B$
whenever $A \leadsto B$.

We will concern ourselves only with sound and adequate derivations. In addition, 
we want derivations to improve gradually the presentation. 

Definition 5.2 (Goodness). 

— A deduction step $A \leadsto B$ is good if $A \succsim B$.

— A sequence $\{A_i\}_i$ is good if $A_i \succsim A_{i+1}$ for all $i$.

— A deduction mechanism $\leadsto$ is good if proofs only get better, in the sense that
$A \succsim B$ whenever $A \leadsto B$.

Goodness is the cardinal principle of canonical inference. From here on in, only 
good, sound, adequate derivations will be considered. 
Since the proof ordering is well-founded, we get: 

Lemma 5.3. For each presentation $A_i$ in a good derivation $\{A_i\}_i$, we have:

$$Pf(A_i) \sqsupseteq Pf(A_\infty)$$
$$Th\,A_i \subseteq Th\,A_\infty$$

Let $\{A \vdash c\} = \{p \in Pf(A) : [p]^{Cl} = c\}$ signify the proofs of formula $c$ from any
subset of presentation $A$.

Proof. Let $p_i \in \{A_i \vdash c\}$. Since the derivation is good, there are proofs $p_j \in
\{A_j \vdash c\}$, for $j > i$, such that $p_i \geq p_{i+1} \geq \cdots$. By well-foundedness, from some
point on these are all the same proof $q$. Thus, $[q]^{Pm} \subseteq A_\infty$, $q \in Pf(A_\infty)$ and
$Pf(A_i) \sqsupseteq Pf(A_\infty)$. That $Th\,A_i \subseteq Th\,A_\infty$ follows then from the definitions. □

Note 5.4. For bad (i.e. non-good) derivations this is not the case. To wit, let

$$\frac{c}{b}, \qquad \frac{b}{c}$$

and consider $\{c\} \leadsto \{b\} \leadsto \{c\} \leadsto \{b\} \leadsto \cdots$. As the derivation oscillates perpetually
between deriving $b$ from $c$ and $c$ from $b$, at the limit $A_\infty = \emptyset$ and $Th\,A_\infty = \emptyset$,
whereas $Th\,A_i = \{b, c\}$ for all finite $i$.

5.2 Canonicity 

Canonicity of presentations leads to canonicity of derivations, in the sense that a 
derivation deserves to be considered canonical if it generates a canonical limit. More 
generally, a desirable attribute of presentations induces a corresponding character- 
istic of derivations that is sufficient to guarantee that the limit has the desirable 
attribute. The first ingredient for canonicity of derivations is the property that 
once something becomes redundant during a derivation, it will remain such forever,
or "once redundant, always redundant." The following lemma implies that good
derivations have this feature:

Lemma 5.5. For all presentations $A$ and $B$:

$$Pf(A) \sqsupseteq Pf(B) \;\Rightarrow\; B \cap Red\,A \subseteq Red\,B$$

Proof. Consider a proof $p \in Pf(B)$ that uses a redundant premise $a \in B \cap
Red\,A \subseteq A$. Since $\hat{a} \in Pf(A)$, by assumptions (1,2), $a$ must also have an alternative
(nontrivial) proof $q \in \{A \setminus \{a\} \vdash a\}$, such that $\hat{a} > q$. By assumption, there is an
$r \in Pf(B)$ such that $q \geq r$. By the postulates of subproofs, $p \trianglerighteq \hat{a} > r$ implies the
existence of a proof $p' \in Pf(B \cup \{a\}) = Pf(B)$ such that $p > p'$. If $a \in [p']^{Pm}$,
then this process continues. It cannot continue forever, so we end up with a strictly
smaller proof not involving $a$, establishing $a$'s redundancy vis-a-vis $B$. □

Proposition 5.6. If a derivation $\{A_i\}_i$ is good, then its limit supports the best
proofs:

$$A_* \approx A_\infty$$

Proof. One direction, namely $Pf(A_\infty) \sqsupseteq Pf(A_*)$, follows by Proposition 3.6(b)
from the fact that $A_\infty \subseteq A_*$. To establish that $Pf(A_*) \sqsupseteq Pf(A_\infty)$, we show that
$\mu Pf(A_*) \sqsupseteq Pf(A_\infty)$ and rely on Proposition 3.6(c). Suppose $p \in \mu Pf(A_*)$. It
follows from Eq. (5) and Proposition 3.6(a) that $[p]^{Pm} \subseteq \mu Pf(A_*)$. By goodness,
each $a \in [p]^{Pm}$ persists from some $A_i$ on. Hence, $[p]^{Pm} \subseteq A_\infty$ and $p \in Pf(A_\infty)$. □

Definition 5.7 (Canonical Derivations). 

— A derivation $\{A_i\}_i$ is completing if its limit is complete.

— It is saturating if its limit is saturated. 

— It is contracting if its limit is contracted. 

— It is canonical if it is both saturating and contracting. 

Lemma 5.8. 

(a) A good derivation $\{A_i\}_i$ is completing if and only if every theorem of $A_0$
eventually admits a persistent normal-form proof:

$$Th\,A_0 \subseteq [Pf(A_\infty) \cap Nf(A_0)]^{Cl}$$

(b) It is saturating if and only if all normal-form proofs emerge eventually:

$$Nf(A_0) \subseteq Pf(A_\infty)$$

(c) It is contracting if and only if no formula remains persistently redundant:

$$Red\,A_* \cap A_\infty = \emptyset$$

Proof. Completeness of the limit is $Th\,A_\infty = [Pf(A_\infty) \cap Nf(A_\infty)]^{Cl}$. By
Lemma 5.14, we know that $A_\infty \equiv A_0$ ($Th\,A_0 = Th\,A_\infty$) for all derivations
of concern to us. Therefore, $[Pf(A_\infty) \cap Nf(A_\infty)]^{Cl} = [Pf(A_\infty) \cap Nf(A_0)]^{Cl} \subseteq
[Pf(A_\infty)]^{Cl} = Th\,A_\infty = Th\,A_0$. With the above condition, we get $Th\,A_\infty =
[Pf(A_\infty) \cap Nf(A_\infty)]^{Cl}$, as desired. The "only-if" direction is straightforward.

Similarly, by Lemma 3.10, the condition $Nf(A_0) \subseteq Pf(A_\infty)$ gives saturation.

By Proposition 5.6, $A_* \approx A_\infty$ and $Pf(A_*) \simeq Pf(A_\infty)$. By applying Lemma 5.5
to $Pf(A_*) \sqsupseteq Pf(A_\infty)$, one gets $Red\,A_* \cap A_\infty \subseteq Red\,A_\infty$. If the limit is contracted,
$Red\,A_\infty = \emptyset$, so that we have $Red\,A_* \cap A_\infty \subseteq Red\,A_\infty = \emptyset$. For the "if" direction,
by applying Lemma 5.5 to $Pf(A_\infty) \sqsupseteq Pf(A_*)$, one gets $Red\,A_\infty \cap A_* \subseteq Red\,A_*$.
Since $Red\,A_\infty \subseteq A_\infty \subseteq A_*$, we have $Red\,A_\infty = Red\,A_\infty \cap A_* \subseteq Red\,A_*$. So, if the
condition $Red\,A_* \cap A_\infty = \emptyset$ holds, then $Red\,A_\infty = Red\,A_\infty \cap A_\infty \subseteq Red\,A_* \cap A_\infty = \emptyset$,
and $A_\infty$ is fully contracted. □

Lemma 5.9. A sufficient condition for a good derivation $\{A_i\}_i$ to be completing
is that each non-normal-form proof eventually becomes much better:

$$\bigcup_i \mu Pf(A_i) \setminus Nf(A_0) \;\sqsupset\; \bigcup_i Pf(A_i)$$

Proof. By Lemma 5.3, if $p_i \in \mu\{A_i \vdash c\}$ then $q \in \{A_\infty \vdash c\}$, for some $q$. If
$q \in Nf(A_0)$, then $c \in [Pf(A_\infty) \cap Nf(A_0)]^{Cl}$ and we are done. Otherwise, the
sufficient condition implies that, for some $k$, there is a proof $q_k \in Pf(A_k)$ of $c$ such
that $p_i \geq q > q_k$. Completeness follows by induction on proofs. □

Lemma 5.10. A good derivation $\{A_i\}_i$ is canonical if and only if

$$A_\infty = A_0^\sharp$$

Proof. Assume the derivation is canonical, that is, saturating and contracting.
Saturating means $Nf(A_0) \subseteq Pf(A_\infty)$, hence $[Nf(A_0)]^{Pm} = A_0^\sharp \subseteq A_\infty$. Contracting
means $Red\,A_\infty = \emptyset$, from which it follows that $A_\infty \subseteq A_0^\sharp$. (By way of contradiction,
if there were an $x \in A_\infty$, but $x \notin A_0^\sharp$, this $x$ would be redundant, contradicting
the contracting hypothesis.) Together, these conclusions give $A_0^\sharp = A_\infty$. The other
direction is trivial. □

In summary, the limit of a derivation is complete, contracted, saturated, if the 
derivation is completing, contracting, saturating, respectively, where saturated is 
stronger than complete, and saturated and contracted together mean canonical. 

5.3 Compactness 

Goodness implies that if any proof shows up during a derivation, then there is a 
better or equal proof in the limit (cf. Lemma 5.3). The converse property, namely 
that if there is a proof in the limit, then there must also have been a proof along 
the way, is ensured by continuity: 

Definition 5.11 (Continuity). (Minimal) Proofs are continuous if

$$\liminf_{j \to \infty} \mu Pf(A_j) = \mu Pf(A_\infty) \quad (= \mu Pf(\liminf_{j \to \infty} A_j))$$

for any good sequence $A_0 \succsim A_1 \succsim \cdots$.

In other words, the operator $\mu Pf$ is continuous for any chain: the limit of the chain
of the images is equal to the image of the limit of the chain.

In turn, for continuity it suffices that minimal proofs use only a finite number of
premises. We call this property compactness (of proofs), because it is used traditionally
to infer compactness of a logic (namely, that a set of formulae is unsatisfiable
if and only if it has a finite unsatisfiable subset) from its completeness (viz. a
presentation is unsatisfiable if and only if it is inconsistent).^



^Indeed, if a set $A$ is unsatisfiable, there is a proof of $F$ (falsehood) in $Pf(A)$ (unsatisfiable implies
inconsistent). Take a minimal proof $p \in \mu Pf(A)$ of $F$, and let $A'$ be the finite set $[p]^{Pm}$; since
$p \in Pf(A')$, $A'$ is unsatisfiable (inconsistent implies unsatisfiable), and is a finite subset of $A$.

Definition 5.12 (Compactness). An ordered proof system is compact if minimal
proofs use only a finite number of premises:

$$\forall p \in \mu Pf(A).\ |[p]^{Pm}| < \infty$$

For ordinary inference systems, even non-minimal proofs are finitely based.

Lemma 5.13. Compactness implies continuity.

Proof. Continuity requires $\bigcup_j \bigcap_{i \geq j} \mu Pf(A_i) = \mu Pf(\bigcup_j \bigcap_{i \geq j} A_i)$ for good
sequences.

To show $\mu Pf(\bigcup_j \bigcap_{i \geq j} A_i) \subseteq \bigcup_j \bigcap_{i \geq j} \mu Pf(A_i)$: Let $p \in \mu Pf(\bigcup_j \bigcap_{i \geq j} A_i) =
\mu Pf(A_\infty)$. By compactness, there are only finitely many $a \in [p]^{Pm}$. Let $j$ be
the smallest index in the derivation such that all $a \in [p]^{Pm}$ are in $A_j$. Then
$p \in Pf(A_j)$. Second, $p \in \mu Pf(A_j)$, because $p \in \mu Pf(A_\infty)$, and (by the previous
lemma) $A_j$ cannot provide a strictly better proof. Third, $p \in \bigcap_{i \geq j} \mu Pf(A_i)$, because
all $a \in [p]^{Pm}$ persist, since $[p]^{Pm} \subseteq A_\infty$. It follows that $p \in \bigcup_j \bigcap_{i \geq j} \mu Pf(A_i)$.

For $\bigcup_j \bigcap_{i \geq j} \mu Pf(A_i) \subseteq \mu Pf(\bigcup_j \bigcap_{i \geq j} A_i)$: Let $p \in \bigcap_{i \geq j} \mu Pf(A_i)$ for some $j$. It
follows that for every premise $a \in [p]^{Pm}$, $a \in \bigcap_{i \geq j} A_i$, whence $a \in \bigcup_j \bigcap_{i \geq j} A_i = A_\infty$.
This means that $p \in Pf(A_\infty)$. As above, were $p$ not minimal, on account of
compactness and goodness, it would have already turned non-minimal at some
stage $k$. But $p$ is minimal at all stages $i \geq j$, so $p \in \mu Pf(A_\infty)$. □

Lemma 5.14. If proofs are continuous, then any good derivation $\{A_i\}_i$ is sound
and adequate. That is, for all $i$,

$$A_i \equiv A_\infty$$

Proof. Lemma 5.3 gives adequacy, regardless of continuity: $Th\,A_i \subseteq Th\,A_\infty$.
Suppose, now, that $c \in Th\,A_\infty$, with proof $p \in \mu Pf(A_\infty)$. By continuity, $p \in
\bigcap_{i \geq j} \mu Pf(A_i)$ for some $j$. Thus, $c \in Th\,A_i$ for all $i \geq j$. That $c \in Th\,A_i$ also for
$i < j$ follows from goodness, since $A_i \succsim A_j$ implies $A_i \equiv A_j$ (see Definition 3.7). □

Note 5.15. This does not necessarily hold for infinitary systems that violate the 
compactness hypothesis. Let all proofs be incomparable, including (for all i and j): 

^ Oj flo, ai, . . . 



ai c c 

The derivation $\{a_j : j < i\}_i$ is good, but only its limit includes the infinitary proof.

6. COMPLETION PROCEDURES AND PROOF PROCEDURES 

The central concept underlying completion is the existence of critical proofs. Com- 
pletion alternates "expansions" that infer the conclusions of critical proofs with 
"contractions" that remove redundancies. More generally, theorem proving with 
simplification (e.g. Dershowitz 1991b; Bonacina and Hsiang 1995; Bachmair and 
Ganzinger 1994) entails two processes: Expansion, whereby any sound deductions 
(anything in Th A) may be added to the set of derived theorems; and Contraction, 
whereby any redundancies (anything in Red A) may be removed. This inference- 
rule interpretation of completion, accommodating both expansion and contraction, 
was elaborated on in [Bachmair and Dershowitz 1994].

Definition 6.1 (Expansion and Contraction).

— A deduction step $A \leadsto A \cup B$ is an expansion provided $B \subseteq Th\,A$.

— A deduction step $A \cup B \leadsto A$ is a contraction provided $A \cup B \succsim A$.

It is easy to see that: 
Proposition 6.2. 

(a) Expansions and contractions are good. 

(b) Derivations, whose steps are expansions or contractions, are good. 

Definition 6.3 (Criticality). 

— A minimal proof $p \in \mu Pf(A)$ is critical if it is not in normal form, but all its
proper subproofs are:

$$p \in \mu Pf(A) \setminus Nf(A)$$
$$\forall q.\ p \triangleright q \;\Rightarrow\; q \in Nf(A)$$

— We use $C(A)$ to denote the set of all such critical proofs in $A$.

— The critical theorems of a presentation $A$ are the conclusions of its critical
proofs, or $[C(A)]^{Cl}$.

— A formula is critical for $A$ if it is a premise of a proof smaller than a critical
proof in $C(A)$.

Lemma 6.4. The canonical presentation has neither critical formulae nor critical
theorems.

Proof. By the definition of critical proof, $C(A^\sharp) \subseteq \mu Pf(A^\sharp) \setminus Nf(A^\sharp)$. Since
$\mu Pf(A^\sharp) \setminus Nf(A^\sharp) = \emptyset$, by the definition of $Nf$, it follows that $C(A^\sharp) = \emptyset$, and $A^\sharp$
has no critical theorems or critical formulae. □

Since [Huet 1981], fairness has been seen as the fundamental requirement of 
derivations generated by completion procedures. Here, we define two fairness prop- 
erties, one each for complete or saturated limits: 

Definition 6.5 (Fairness). 

— A good derivation $\{A_i\}_i$ is fair if

$$C(A_\infty) \sqsupset Pf(A_*)$$

— It is uniformly fair if

$$\widehat{A_\infty \setminus A_*^\sharp} \sqsupset Pf(A_*)$$

Fairness means that all critical proofs with persistent premises are "subsumed" 
eventually by strictly smaller proofs, whereas uniform fairness predicates the same 
for trivial proofs with persistent premises. 

Theorem 6.6. Presentation $A$ is complete if $C(A) \sqsupset Pf(A)$.

Proof. Assume, by way of contradiction, that $A$ is incomplete, in other words,
that $[Pf(A) \cap Nf(A)]^{Cl} \subsetneq Th\,A$. Then there is a $c \in Th\,A$ such that $c \notin [Pf(A) \cap
Nf(A)]^{Cl}$, or there is no proof of $c$ in $Pf(A) \cap Nf(A)$. However, there are proofs
of $c$ in $Pf(A)$: let's take a minimal one, that is, let $p \in \mu\{A \vdash c\}$. By the above,
$p \notin Nf(A)$. If $p$ is not in normal form, it means that it has some subproof(s) that
is not in normal form, that is, some $q \trianglelefteq p$ that is not in normal form. By the
well-foundedness of $\triangleleft$, let $q$ be a minimal (with respect to $\triangleleft$) such proof. Minimality
with respect to $\triangleleft$ means that all subproofs of $q$ are in normal form. Thus, we have
a (possibly trivial) subproof $q$ of $p$, which is not in normal form, but such that all its
subproofs are. But this is the definition of critical proof: $q \in C(A)$. The hypothesis
$C(A) \sqsupset Pf(A)$ implies that there exists a proof $r \in Pf(A)$ such that $r < q$. Since
we have $p \trianglerighteq q > r$, by Replacement (8), there exists a $p' \in Pf(A)$, such that $p' < p$,
with $r$ in place of $q$, i.e. $p > p' \trianglerighteq r$. This contradicts the fact that $p$ is minimal. □

Corollary 6.7. If a good derivation is fair, then its limit is complete.

Proof. By the definition of fairness we have $C(A_\infty) \sqsupset Pf(A_*)$. By Proposition 5.6,
$Pf(A_*) \simeq Pf(A_\infty)$, so that $C(A_\infty) \sqsupset Pf(A_\infty)$. By Theorem 6.6, $A_\infty$ is
complete. □

This suggests completing an axiomatization $A_0$ by adding, step by step, what is
needed to make for better proofs than the critical ones.

For example, suppose a proof ordering makes c > \ and ^ > 6. Start with 
Aq — {c} and consider c. Were c to persist, then by fairness a better proof would 
evolve, the better proof being -. If 6 is in normal form, then b G A^o and both 
minimal proofs - and b persist. 

Another example: /iP = {&, c, -} and A = {b}, then A-^^ A-^^ ■ ■ ■ is fair, since 
Aoc = A and C(Aoo) = 0- The result is complete but unsaturated (c is missing). 

Clearly, a fair derivation is also completing. On the other hand, completing 
does not imply fair, because the limit could feature a normal-form proof of some 
$c \in Th\,A_0$, without having reduced all persistent critical proofs of $c$. The two
notions serve different purposes: completing is the more abstract and represents 
the condition for attaining a complete limit. Fair is stronger and more concrete, as 
it specifies a way to achieve completeness by reducing all persistent critical proofs. 

A saturated limit is not necessarily contracted, unless the derivation is contract- 
ing, in which case it is canonical: 

Theorem 6.8 (Fair Completion). Contracting, fair derivations are canonical,
provided minimal proofs are unique.

Proof. This follows from Lemma 5.8(c) (contracting derivation implies contracted
limit), Corollary 6.7 (fair derivation implies complete limit), Proposition 3.11
(saturated and complete are equivalent if minimal proofs are unique),
and Theorem 3.17 (saturated and contracted imply canonical). □

By Proposition 3.3, this also means that each $a \in A_\infty$ ($= A^\sharp$) is its own ultimate
proof $\hat{a} \in Nf(A)$, so is not susceptible to contraction.

We are left with the task of identifying sufficient conditions for saturation, in
case minimal proofs are not unique:

Theorem 6.9. Presentation $A$ is saturated if and only if $\widehat{A \setminus A^\sharp} \sqsupset Pf(A)$.

Proof. Recall that $A$ saturated means $\mu Pf(A) = Nf(A)$.

First, we show that $\widehat{A \setminus A^\sharp} \sqsupset Pf(A)$ implies saturation, assuming, by way of
contradiction, that $\mu Pf(A) \neq Nf(A)$. Then, there is a theorem $c \in Th\,A$ for which
a normal-form proof $p^*$ is absent from $\mu Pf(A)$. Instead, there is a minimal
non-normalized proof $p \in \mu Pf(A) \setminus Nf(A)$. So, there is some $x \in [p]^{Pm} \setminus A^\sharp$, since
$p$ would be in normal form were $[p]^{Pm} \subseteq A^\sharp$. By hypothesis, $\hat{x} > r$ for some
$r \in Pf(A)$. By Replacement (8), there exists a $v \in Pf(A)$, such that $p > v \trianglerighteq r$,
contradicting the minimality of $p$.

For the other direction, suppose $\mu Pf(A) = Nf(A)$. Employing Proposition 3.6(c),
we have $\widehat{A \setminus A^\sharp} \sqsupseteq Pf(A) \sqsupseteq \mu Pf(A) = Nf(A)$. But if $x \in A \setminus A^\sharp$, then $\hat{x} \notin Pf(A^\sharp) \supseteq
Nf(A)$ (the inclusion is from (9)), so there must be some other, strictly smaller proof
than $\hat{x}$ in $Nf(A)$. So, in fact, $\widehat{A \setminus A^\sharp} \sqsupset Nf(A) = \mu Pf(A) \sqsupseteq Pf(A)$, as desired. □

By the above theorem, if $A$ is saturated, $A \setminus A^\sharp$ is redundant (i.e. $A \setminus A^\sharp = Red\,A$).

Corollary 6.10. A good derivation is uniformly fair if and only if its limit is
saturated.

Proof. Uniform fairness says that $\widehat{A_\infty \setminus A_*^\sharp} \sqsupset Pf(A_*)$. Since $Pf(A_*) \simeq Pf(A_\infty)$
by Proposition 5.6, this is equivalent to $\widehat{A_\infty \setminus A_\infty^\sharp} \sqsupset Pf(A_\infty)$, which is equivalent to
$A_\infty$ being saturated by Theorem 6.9. □

7. INSTANCES OF THE FRAMEWORK 

A class of completion procedures can be described as deduction mechanisms,
wherein each step $A_i \leadsto A_{i+1}$ is the composition of an expansion that adds some
formulae, followed by a contraction that removes all redundant formulae (cf.
Dershowitz 1985, Sect. 3.1). In other words, we are looking at deductions of the form
$A \leadsto (A \cup D)^\flat$, where $D$ is the expansion and $B^\flat = B \setminus Red\,B$ is $B = A \cup D$ after
contraction.

One possibility for such a mechanism is to expand with all critical theorems: 

Definition 7.1 (Critical Completion). Critical completion is a sequence of steps:

$$\text{Critical:} \quad A \leadsto (A \cup [C(A)]^{Cl})^\flat$$

An alternative is to add only something better:

Definition 7.2 (Bulk Completion). Bulk completion is a sequence of steps:

$$\text{Bulk:} \quad A \leadsto (A \cup [B(A)]^{Pm})^\flat$$

where $B(A)$ is a minimal subset of $Pf(A)$ (minimal, with respect to $\subseteq$) that is much
better than critical proofs: $C(A) \sqsupset B(A)$.

Another variation on this theme is "mass completion," where the expansion
component of each step $A_i \leadsto_M A_{i+1}$ adds normal-form trivial theorems, en masse,
followed by contraction:

Definition 7.3 (Mass Completion). Mass completion is a sequence of steps:

$$\text{Mass:} \quad A \leadsto (A \cup [M(A)]^{Cl})^\flat$$

where

$$M(A) = \{p \in \mu Pf(A) : \hat{p} < p \wedge \forall q \triangleleft p.\ \hat{q} \not< q\}$$

and $\hat{p}$ is short for $\widehat{[p]^{Cl}}$, the trivial proof of the conclusion of $p$.

By Proposition 6.2: 

Theorem 7.4. Critical completion, bulk completion and mass completion are all 
good. 

A presentation $A$ is stable under a deduction mechanism $\leadsto$ if $B = A$ whenever
$A \leadsto B$.

Theorem 7.5. The canonical presentation is stable under critical, bulk and
mass completion.

Proof. By the proof of Lemma 6.4, $\mu Pf(A^\sharp) \setminus Nf(A^\sharp) = \emptyset$ and $C(A^\sharp) = \emptyset$.
It follows that $[C(A^\sharp)]^{Cl} = \emptyset$. Second, the condition $C(A^\sharp) \sqsupset B(A^\sharp)$ is satisfied
vacuously and the minimal subset of $Pf(A^\sharp)$ is $\emptyset$, so that $B(A^\sharp) = \emptyset$ and $[B(A^\sharp)]^{Pm} =
\emptyset$. Third, since there are no better proofs than those provided by $A^\sharp$ (Theorem
3.8), $M(A^\sharp) = \emptyset$ and $[M(A^\sharp)]^{Cl} = \emptyset$. Hence, expansions by critical, bulk and mass
completion do not apply. Because $A^\sharp$ is contracted (by Theorem 3.17), we have
$Red\,A^\sharp = \emptyset$, and contraction does not apply either. So, for all three mechanisms,
$A^\sharp \leadsto A^\sharp$ only. □

Let $A^{Bulk}$ and $A^{Mass}$ denote the limits of derivations by bulk and mass completion
from $A$, respectively. Similarly, let $A_*^{Bulk}$ and $A_*^{Mass}$ denote the sets of all derived
formulae in those derivations.

Theorem 7.6. Bulk completion is canonical, provided proofs are continuous and
minimal proofs are unique, in which case

$$A^{Bulk} = A^\sharp$$

Proof. Let $\{A_i\}_i$ be a derivation by bulk completion starting from $A = A_0$. By
Theorem 6.8, canonicity of the limit requires that derivations by bulk completion
be fair and contracting. Fairness says that

$$\forall p \in C(A^{Bulk}).\ \exists q \in Pf(A_*^{Bulk}).\ p > q$$

Let $p$ be a proof in $C(A^{Bulk})$ and let $i$ be the smallest index such that $p \in C(A_i)$.
There must be such an $i$ by continuity (Definition 5.11), given goodness — per
Theorem 7.4. By the definition of bulk completion and the nature of expansion
and redundancy removal (Propositions 3.6(b) and 3.16), $C(A_i) \sqsupset B(A_i) \sqsupseteq
Pf((A_i \cup [B(A_i)]^{Pm})^\flat) = Pf(A_{i+1})$. It follows that there is some $q \in Pf(A_{i+1}) \subseteq
Pf(A_*^{Bulk})$, such that $q < p$, establishing fairness. As bulk completion removes
redundancies immediately, its derivations are also contracting; see Lemma 5.8(c). □

Theorem 7.7. Mass completion is canonical, provided proofs are continuous 
and minimal proofs are unique, in which case 

Proof. For mass completion, it is convenient to show that the limit is saturated
in terms of the characterization of $A^\sharp$ as all trivial normal-form theorems
(Proposition 3.3). Suppose $c \in A^\sharp$ and $\hat{c}$ is in normal form, and let $p \in \mu Pf(A^{Mass})$
be a minimal proof of $c$ in the limit, which exists by virtue of Theorem 7.4 and
Lemma 5.3. Since minimal proofs are unique, $\hat{c}$ and $p$ are comparable. Suppose that
$\hat{c} < p$. Let $q$ be the smallest subproof of $p$ such that $q > \hat{q}$, and let $i$ be the smallest
index (as in the previous proof) such that $q \in \mu Pf(A_i)$. Thus, $q \in M(A_i)$, and, by
the definition of mass completion, $q$ and $p$ (by (7)) have better proofs in $A_{i+1}$, and
hence (by goodness and Lemma 5.3) in $A^{Mass}$, contradicting the minimality of $p$.
So $\hat{c} = p$, and $c \in A^{Mass}$, as desired. Hence, $A^{Mass}$ is saturated. But $A^{Mass}$ is also
contracted, so, by Theorem 6.8, mass completion is canonical. □

In the equational case, persistent critical pairs are at one and the same time both 
critical formulae and critical theorems, since the proof ordering is designed so that
the trivial proof using a critical pair is always smaller than the peak from which the 
critical pair is derived. So, expansions by C{A), B{A) and M{A) are essentially the 
same, and bulk, mass and critical completion lead to the same result. In general, 
the different methods of expansion differ, as the following example demonstrates: 

Suppose formula a has three proofs: a, p = -, and q = -, and assume a proof 
ordering that orders proofs of a by a > p > g, proofs of c by - > ^ > ^ > c, 
while b is the only proof of b. The only critical proof using A = {b} is -: it is 

minimal in Pf{A), it is not in normal form, and its only subproof b is in normal 
form. Note that - is not critical, although it is minimal and not in normal form, 
because its subproof p is not in normal form. Critical completion generates the 
critical theorem a and then deletes it right away, because a is redundant, since 
a > p. Thus, derivation by critical completion is unfair, because a proof smaller 
than $p$ never arises. The limit of the derivation by critical completion is $\{b\}$ itself,
which is not canonical, since it provides no normal form proofs for either $a$ or $c$.

On the other hand, bulk completion generates the critical formula c, premise of 
- < -. Similarly, mass completion generates c, because M{A) = {-}, since - is 
the minimal proof of c in A, c < 2, and its only subproof p does not share this 
property, as a > p. By adding c, the critical proof p is replaced by q. The critical 
formula c is not redundant and persists. Thus, the derivation is fair, and its limit 
$\{b, c\}$ is canonical, with normal form proofs b, c and -. The behavior of critical
completion, on one hand, and bulk or mass completion, on the other, would be the 
same, under a non-total proof ordering defined as the one above, except with proofs 
of c ordered by ^ > - > c, - > - > c, where - and ^ are incomparable. 

A subtle point is that bulk completion does not add all critical formulae, but only 
sufficiently many to provide a smaller proof for each critical proof. (This is the gist
of the $C(A) \sqsupset B(A)$ condition in the definition of bulk completion.) To appreciate
the difference, consider a proof ordering such that c > — > -, for z > 0, with all 
the — incomparable. If the definition of bulk completion required it to add all the 
ai's, it could not be considered a "mechanical" process. On the other hand, the 
definition of bulk completion makes it sufficient to add just one of the ai's. 

Lastly, the hypothesis that minimal proofs are unique is actually needed. Indeed, 
consider proofs a, ^ and b with an empty ordering and let A = {a}. The minimal 

proofs in A are a and |-. Since fo < f does not hold, M{A) is empty and mass 
completion does not generate b. Similarly, C{A) is empty and bulk completion 
cannot generate b either. 

Returning to the ground equational case, with inference rules $P$, $I$, $T$, $S$, $Z$,
where $S$ is the inference rule for functional reflexivity given in Section 4, let $\succ$ be a
total simplification-ordering of terms, let $P > I > T > S > Z$ in the precedence, let
proofs be greater than terms, and compare proof trees in the corresponding total
recursive path simplification-ordering. Ground completion is an inference mechanism
consisting of the following inference rules:

Deduce: $E \cup \{w = t[u]\} \leadsto E \cup \{w = t[v]\}$ if $u = v \in E$ and $u \succ v$

Delete: $E \cup \{t = t\} \leadsto E$



Operationally, completion implements these inferences "fairly" : No persistently 
enabled inference rule is ignored forever. 

Theorem 7.8 (Completeness of Completion). Ground completion
results — at the limit — in the canonical, Church-Rosser basis.

Proof. Ground completion is good, since Deduce and Delete do not increase
proofs ($\leadsto \subseteq \succsim$). In particular,

$$I(w, t[u]) > T(I(w, t[v]), S^n(I(u, v)))$$

if $u \succ v$, where $n$ is the number of applications of $S$ needed to build the context
$t$, since $t[u] \succ t[v]$ and $t[u] \succeq u \succ v$. Ground completion is fair and contracting.
For example, the critical obligation

$$\frac{w = t \qquad t = v}{w = v}$$

when $t \succ w, v$, is resolved by Deduce. Also, since $T > S$, non-critical cases resolve
naturally:

$$\frac{\dfrac{w = t}{fw = ft} \qquad \dfrac{t = v}{ft = fv}}{fw = fv} \;>\; \frac{\dfrac{w = t \qquad t = v}{w = v}}{fw = fv}$$

or $T(S(I(w,t)), S(I(t,v))) > S(T(I(w,t), I(t,v)))$. Since the proof ordering is total,
minimal proofs are unique, and Theorem 6.8 applies. □
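The Deduce and Delete rules above, run to their limit on two small constructed presentations of one ground theory, as an added example that is not code from the paper. The size-then-alphabetical term ordering and all function names are assumptions made here; replacing every occurrence of $u$ at once composes several Deduce steps.

```python
"""Ground completion by Deduce and Delete (added example, hypothetical names)."""

# Ground terms are nested tuples: ("a",) is the constant a, ("f", ("a",)) is f(a).
a, b, c = ("a",), ("b",), ("c",)

def f(x):
    return ("f", x)

def g(x):
    return ("g", x)

def size(t):
    return 1 + sum(size(arg) for arg in t[1:])

def key(t):
    """Assumed ordering: compare term size, then head symbol alphabetically,
    then arguments left to right. On ground terms this is total, monotonic
    and has the subterm property, i.e. it is a total simplification ordering."""
    return (size(t), t[0], tuple(key(arg) for arg in t[1:]))

def orient(s, t):
    """Store an equation as the pair (larger side, smaller side)."""
    return (s, t) if key(s) >= key(t) else (t, s)

def occurs(u, t):
    return t == u or any(occurs(u, arg) for arg in t[1:])

def replace(t, u, v):
    """t[u] becomes t[v]: replace every occurrence of subterm u in t by v."""
    if t == u:
        return v
    return (t[0],) + tuple(replace(arg, u, v) for arg in t[1:])

def complete(equations):
    """Apply Delete and Deduce until neither is enabled; return the limit."""
    E = {orient(s, t) for s, t in equations}
    while True:
        # Delete: E ∪ {t = t} ~> E
        E = {(l, r) for (l, r) in E if l != r}
        # Deduce: find w = t[u] and a *different* equation u = v in E, u > v.
        step = next(((eq, rule) for eq in E for rule in E
                     if eq != rule
                     and (occurs(rule[0], eq[0]) or occurs(rule[0], eq[1]))),
                    None)
        if step is None:
            return E          # no inference is enabled any more
        (w, t), (u, v) = step
        E.remove((w, t))
        E.add(orient(replace(w, u, v), replace(t, u, v)))

def is_reduced(E):
    """Contracted: no trivial equation, and no side of any equation contains
    the larger side of another equation."""
    return all(l != r for l, r in E) and not any(
        eq != rule and (occurs(rule[0], eq[0]) or occurs(rule[0], eq[1]))
        for eq in E for rule in E)

def normal_form(t, rules):
    """Rewrite t with the oriented equations until no rule applies."""
    changed = True
    while changed:
        changed = False
        for l, r in rules:
            if occurs(l, t):
                t, changed = replace(t, l, r), True
    return t

# Two constructed presentations of the same theory (fa = a, ga = b = c).
E1 = [(f(f(f(a))), a), (f(f(a)), a), (g(f(a)), b), (c, b)]
# E2 contains the peak  c = g(a) = b  (the critical obligation in the proof).
E2 = [(f(a), a), (g(a), c), (g(a), b)]

if __name__ == "__main__":
    for name, E in (("E1", E1), ("E2", E2)):
        print(name, "->", sorted(complete(E), key=lambda eq: key(eq[0])))
```

Set iteration order makes the choice of the next inference arbitrary, so repeated runs take different derivations; both presentations still end in the same fully reduced basis.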
8. DISCUSSION



Completion procedures have been studied intensively since their discovery and ap- 
plication to automated theorem proving by Knuth and Bendix [1970] and Buch- 
berger [1985]. The fundamental role of proof orderings in automated deduction, 
and the interpretation of completion as nondeterministic application of inference 
rules, received systematic treatment in [Bachmair and Dershowitz 1994]. The com- 
pletion principle can be applied in numerous situations [Dershowitz 1989; Bonacina 
and Hsiang 1995], including the following: 

— equational rewriting [Peterson and Stickel 1981; Jouannaud and Kirchner
1986; Bachmair and Dershowitz 1989]; 

— Horn theories [Kounalis and Rusinowitch 1991; Dershowitz 1991a; 1991b]; 

— induction [Kapur and Musser 1987; Fribourg 1989; Bachmair and Dershowitz 
1994]; 

— unification [Doggaz and Kirchner 1991]; and

— rewrite programs [Bonacina and Hsiang 1992; Dershowitz and Reddy 1993]. 

Our abstract framework can be applied to re-understand completion mechanisms 
in a fully uniform setting. Because we have been generic in our approach, the 
results here apply to any completion-based framework, including standard ones, 
like ground completion and congruence closure,^ as illustrated herein, equational 
completion (see [Burel and Kirchner 2006]), or completion for unification, and also
to derive new completion algorithms, such as for constraint solving. 

In [Bachmair and Dershowitz 1994], a completion sequence is deemed fair if all 
persistent critical inferences are generated, and criteria are employed to eliminate 
redundant inferences from consideration. In [Nieuwenhuis and Rubio 2001, fn. 8], an 
inference sequence is held to be fair if all persistent inferences are either generated 
or become redundant. The approach of [Bonacina and Hsiang 1995] distinguishes 
between fairness requirements for proof search and for saturation. The notion of 
fairness was formulated in terms of proof reduction with respect to a proof ordering, 
and made relative to the target theorem, suggesting for the first time that fairness 
should earn one a property weaker than saturation. Specifically, a derivation was 
considered fair if whenever a minimal proof of the target theorem is reducible by 
inferences, it is reduced eventually; see [Bonacina 1992, Chap. 2]. The treatment 
of fairness propounded here combines all these ideas. Fairness — for us — means 
that all persistent critical proofs are reduced, but it only attains completeness, not 
saturation. As we have seen, a stronger version of fairness, namely uniform fairness, 
is needed for saturation when the proof ordering is partial.*

Furthermore, by putting the accent on proof search and proof reduction, the 
approach of [Bonacina and Hsiang 1995] leads to an appreciation of the role of 



^That ground completion can be used to compute congruence closure has been known since 
[Lankford 1975]; using congruence closure to generate canonical rewrite systems from sets of 
ground equations has been investigated further in [Gallier et al. 1993; Plaisted and Sattler-Klein 
1996], among others; a recent survey comparing different ground completion and congruence 
closure algorithms can be found in [Bachmair et al. 2003].

*The term "uniform fairness" was introduced in [Bonacina 1992] for that property which guarantees
saturation.

contraction as productive inference, as opposed to pure deletion. This is reflected
here in the emphasis on canonicity, rather than saturation alone. 

Bulk completion, as investigated here, is an abstract notion. Concrete procedures 
are obtained by coupling the inference system with a search plan that determines 
the order in which expansion and contraction steps take place. From a practical 
point of view, fair and contracting are two requirements for the search plan: it 
should schedule enough expansion steps to be fair, hence complete, and enough 
contraction steps to be contracting. Specific search plans may settle for some ap- 
proximation of these properties. The two are intertwined, as a basic control issue is 
how best to avoid performing expansion inferences from premises that can be con- 
tracted, because such expansions are not necessary for fairness, and would generate 
redundancies. This principle has led many to design search plans called by various 
authors simplification-first, contraction-first, or eager contraction plans. Our defi- 
nition of critical obligations also allows one to incorporate "critical pair criteria," 
as, for example, in [Bachmair and Dershowitz 1988]. 

On the other hand, making sure that contraction takes priority over expansion 
is not cost-free, because it involves keeping a potentially very large database of 
formulae inter-reduced. In turn, this involves forward contraction, that is, contract- 
ing newly generated formulae with respect to already existing ones, and backward 
contraction, that is, contracting formulae already in the database with respect to 
new formulae that survived forward contraction. Conceptually, forward contraction 
is considered to be part of the generation of a formula, while backward contraction 
is considered to be a bookkeeping task for the database of formulae. In prac- 
tice, an observation that helped streamline implementations of completion, and of 
theorem-proving strategies based on completion, was that backward contraction 
can be implemented by forward contraction. That is, it suffices to detect that a
formula in the database is reducible, and then subject it to forward contraction, as 
if it were newly generated. This way, formulae generated by backward contraction 
are treated like formulae generated by expansion. This observation appeared in 
implementations since the late eighties, most notably in Otter [McCune 1994]. 

In our framework, the endeavor to implement contraction efficiently is the
endeavor to make contracting derivations efficient. A sufficient condition for being
contracting is $Red\,A_* \cap A_\infty = \emptyset$. One may approach the problem by aiming at
ensuring that $Red\,A_i = \emptyset$, for all stages $i$ of a derivation. The practical meaning
and feasibility of such a requirement depends on how one defines the map between
the prover's operations and the steps $A_i \leadsto A_{i+1}$ of a derivation. If every single
expansion or contraction inference done by the prover is a step $A_i \leadsto A_{i+1}$, it is
trivially impossible to have $Red\,A_i = \emptyset$. Thus, either $A_i \leadsto A_{i+1}$ corresponds to many
inference steps (as is the case for bulk completion), or one aims at implementing
$Red\,A_* \cap A_\infty = \emptyset$ by ensuring that $Red\,A_i = \emptyset$ holds periodically.

For instance, take Otter's well-known given-clause loop. The prover maintains 
a list of formulae already selected as expansion parents and a list of formulae to 
be selected. At every iteration, it selects a given clause, performs all expansions 
between the given clause and the already selected clauses, and moves the given 
clause to the already selected list. Every new formula is forward-contracted after 
its generation, and those that survive forward contraction are added to the list
to be selected, and applied to backward-contract elements of both lists until no
further backward contraction applies. Thus, if $A$ is the union of the two lists
already selected and to be selected, Otter's given clause loop aims at something
like $\mathit{Red}\,A_i = \emptyset$, for all $i$'s that correspond to a stage after an iteration of the loop.

A more conservative approach is to implement $\mathit{Red}\,A_* \cap A_\infty = \emptyset$ by ensuring
that $\mathit{Red}\,B_i = \emptyset$ holds periodically and only for a subset $B_i \subseteq A_i$. This is the
approach of the so-called DISCOUNT version of the given-clause loop, where only
the subset of formulae eligible to be expansion parents (the already selected list
augmented with the given clause) is kept inter-reduced. However, when a formula
in $B_i$ is backward-contracted, its direct descendants in $A_i \setminus B_i$ can be deleted as
"orphans" [Schulz 2002]. Most of Otter's successors, such as Gandalf [Tammet 
1997], Spass [Weidenbach et al. 1999], Vampire [Riazanov and Voronkov 2002] and 
Waldmeister [Hillenbrand 2003], implement both versions of the given-clause 
loop, while the E prover [Schulz 2002] features only the DISCOUNT version. 
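
The two variants of the given-clause loop described above, as an added example (not code from the paper, Otter, or E). It assumes propositional binary resolution as the expansion rule and subsumption as the only contraction rule, so that Red is the set of strictly subsumed clauses; orphan deletion is not modelled, and all function and variable names are illustrative.

```python
def resolvents(c, d):
    """Expansion: all non-tautological binary resolvents of clauses c and d."""
    out = set()
    for lit in c:
        if -lit in d:
            r = (c - {lit}) | (d - {-lit})
            if not any(-x in r for x in r):
                out.add(frozenset(r))
    return out

def redundant(db):
    """Red(db) for this toy calculus: clauses strictly subsumed by another clause."""
    return {c for c in db if any(d < c for d in db)}

def given_clause(clauses, discount=False):
    """Return (refuted, trace); trace holds (active, passive) after each iteration."""
    active, passive, trace = set(), set(), []

    def insert(new):
        nonlocal active, passive
        scope = active if discount else active | passive
        if any(d <= new for d in scope):          # forward contraction
            return
        if not discount:                          # Otter: backward-contract both lists
            active = {a for a in active if not new < a}
            passive = {p for p in passive if not new < p}
        passive.add(new)

    for c in clauses:
        insert(frozenset(c))
    while passive:
        given = min(passive, key=lambda c: (len(c), sorted(c)))
        passive.remove(given)
        if not given:
            return True, trace                    # empty clause selected
        if discount:                              # contract only at selection time
            if any(d <= given for d in active):
                continue
            active = {a for a in active if not given < a}
        active.add(given)
        for new in set().union(*(resolvents(given, a) for a in active)):
            insert(new)
        trace.append((set(active), set(passive)))
    return False, trace

# Constructed sample inputs; integers are literals, negative means negated.
SAT_SAMPLE = [{1, 2, 3}, {1, 2}, {-1, 2}, {-2, 3}]
UNSAT_SAMPLE = SAT_SAMPLE + [{-3}]
```

On `SAT_SAMPLE` both variants end with the same already-selected list, but only the Otter variant keeps the union of the two lists free of redundant clauses after every iteration; the DISCOUNT variant guarantees this for the already-selected list alone.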

Since contraction is, at the same time, an essential ingredient for efficiency and 
an expensive task, the appropriate balance of contraction and efficiency is still a 
subject of current research in the implementation of theorem provers. 